OraFAQ Forum: Security » Key Points on Database security best practices

Home » RDBMS Server » Security » Key Points on Database security best practices (Oracle 11gR2)

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

Key Points on Database security best practices [message #618964]

Thu, 17 July 2014 00:44

hitesh.bhatt
Messages: 84
Registered: February 2014
Location: INDIA

Member

Hello All,

Can you please help me with bullet points on Database security best practices?

Many Thanks in advance.

Report message to a moderator

Re: Key Points on Database security best practices [message #618965 is a reply to message #618964]

Thu, 17 July 2014 00:50

tarundua
Messages: 1080
Registered: June 2005
Location: India

Senior Member

Can you please be more elaborative on what exactly you are looking for?

Database profiles, auditing....

Report message to a moderator

Re: Key Points on Database security best practices [message #618966 is a reply to message #618965]

Thu, 17 July 2014 00:58

hitesh.bhatt
Messages: 84
Registered: February 2014
Location: INDIA

Member

Thanks for quick reply,

Mainly I am looking for Database profiles(User access to Database architect, Senior DBA, Junior DBA access)

Report message to a moderator

Re: Key Points on Database security best practices [message #618968 is a reply to message #618966]

Thu, 17 July 2014 01:02

Michel Cadot
Messages: 68732
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

More specifically?

Report message to a moderator

Re: Key Points on Database security best practices [message #618970 is a reply to message #618968]

Thu, 17 July 2014 01:07

hitesh.bhatt
Messages: 84
Registered: February 2014
Location: INDIA

Member

Mainly I am looking for following -

What all profile / roles grant to Database architect?
What all profile / roles grant to Junior DBA?
What all profile / roles grant to Senior DBA?
As they do not want even DBA to see the sensitive data, so what all privileges to grant to DBA's so DBA can work on all DB related activities but without damaging the sensitive data.

Thanks in advance.

Report message to a moderator

Re: Key Points on Database security best practices [message #618976 is a reply to message #618970]

Thu, 17 July 2014 01:31

Michel Cadot
Messages: 68732
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

These are your enterprise notions, there is no such general notions, each enterprise chooses what they mean for them.
Have a look at the following post:
http://www.orafaq.com/forum/m/486121/?srch=dba_level#msg_486121

Report message to a moderator

Re: Key Points on Database security best practices [message #619026 is a reply to message #618970]

Thu, 17 July 2014 07:52

EdStevens
Messages: 1376
Registered: September 2013

Senior Member

hitesh.bhatt wrote on Thu, 17 July 2014 01:07

Mainly I am looking for following -

What all profile / roles grant to Database architect?
What all profile / roles grant to Junior DBA?
What all profile / roles grant to Senior DBA?
As they do not want even DBA to see the sensitive data, so what all privileges to grant to DBA's so DBA can work on all DB related activities but without damaging the sensitive data.

Thanks in advance.

============================================================================

"When I use a word," Humpty Dumpty said in rather a scornful tone, "it means just what I choose it to mean -- neither more nor less."
(Lewis Carroll - Through the Looking Glass)

And so it is with job titles.

The first two places I worked in IT had exactly the same set of job title for what we now refer to as developers. They were

Programmer/Analyst I
Programmer/Analyst II
Programmer/Analyst III

In one shop, the P/A I was entry level and P/A III was senior/team lead
In the other shop, exactly the opposite.

============================================================================
If you want to protect stuff from even the DBA, you need DataVault. But then who do you trust to configure THAT?

Report message to a moderator

Re: Key Points on Database security best practices [message #619032 is a reply to message #619026]

Thu, 17 July 2014 08:27

Michel Cadot
Messages: 68732
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

Maybe it is not a matter of trusting but preventing from juniors doing wrong actions which can hurt the databases.
This was the case, more than security (although it was also there), in the enterprise where I implement the solution I mentioned in the link.

The problem with Database Vailt is organization, you must have a security team that will allow DBA to do some actions and of course this security must be 24/24 7/7 in case something happens during the night that implies to grant some accesses.
Till now I see no enterprise which wants to 1) buy Databa Vault option 2) create a new team or hire new people for the current one.

Report message to a moderator

Re: Key Points on Database security best practices [message #619162 is a reply to message #619032]

Fri, 18 July 2014 09:17

EdStevens
Messages: 1376
Registered: September 2013

Senior Member

Michel Cadot wrote on Thu, 17 July 2014 08:27

The problem with Database Vailt is organization, you must have a security team that will allow DBA to do some actions ...
Till now I see no enterprise which wants to .... 2) create a new team or hire new people for the current one.

And that was what I was getting at. In my admittedly limited experience, I've never seen an implementation of DB Vault, probably for the very reason cited above. That leaves auditors and management often insisting that DBA's implement some hare-brained scheme that that they think will protect the database from the DBA. And it always comes back to the DBA himself being the one to actually implement the scheme. So they don't trust the DBA with the database, but they trust the DBA with the keys that are supposed to protect the database from the DBA ....

Report message to a moderator

Re: Key Points on Database security best practices [message #619766 is a reply to message #619162]

Thu, 24 July 2014 23:31

hitesh.bhatt
Messages: 84
Registered: February 2014
Location: INDIA

Member

Many Thanks to all for details

Report message to a moderator

Re: Key Points on Database security best practices [message #620326 is a reply to message #619162]

Thu, 31 July 2014 04:29

Roachcoach
Messages: 1576
Registered: May 2010
Location: UK

Senior Member

EdStevens wrote on Fri, 18 July 2014 15:17

Michel Cadot wrote on Thu, 17 July 2014 08:27

The problem with Database Vailt is organization, you must have a security team that will allow DBA to do some actions ...
Till now I see no enterprise which wants to .... 2) create a new team or hire new people for the current one.

And that was what I was getting at. In my admittedly limited experience, I've never seen an implementation of DB Vault, probably for the very reason cited above. That leaves auditors and management often insisting that DBA's implement some hare-brained scheme that that they think will protect the database from the DBA. And it always comes back to the DBA himself being the one to actually implement the scheme. So they don't trust the DBA with the database, but they trust the DBA with the keys that are supposed to protect the database from the DBA ....

Security theatre is the best, isn't it?

Really it's a balance between practicality vs security. At the end of the day, you have to trust SOMEONE. Although we did at one point talk about binary style keys with two holders with half each, thankfully that lasted all of ten seconds.

Report message to a moderator

Previous Topic:	How can I audit ALL activity for a specific Client Id?
Next Topic:	Lock the SYS account

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Feb 01 21:37:58 CST 2025